Forensicator: Guccifer 2.0’s Russian Breadcrumbs

Editorial note: Forensicator recently published a report titled Guccifer 2’s Russian Breadcrumbs, digging out many new metadata clues found in the documents that Guccifer 2.0 modified before publishing them on their WordPress blog. That report builds on Forensicator’s previous work, which detailed the complex process that Guccifer 2.0 likely used to plant “Russian fingerprints” in the Trump opposition report that Guccifer 2.0 pre-disclosed to two legacy media outlets and later published.

Below, with permission from the author, we reproduce excerpted portions of the Forensicator’s latest report.

Introduction

In this report, Forensicator analyzes metadata left in the various documents that Guccifer 2 modified and then published on his WordPress blog. Some new discoveries are made, some revisited. Forensicator concludes that Guccifer 2’s consistent intent was to plant clues which connected Guccifer 2 to Russia, except for one head fake, when Guccifer 2 was Romanian for a day.

This report builds on two previous articles: Did Guccifer 2 Plant his Russian Fingerprints? and Media Mishaps: Early Guccifer 2 Coverage. In those reports we analyze Guccifer 2’s first batch of documents that were published on his WordPress blog. We demonstrate that Guccifer 2 likely planted his “Russian fingerprints” into those documents. Those “Russian fingerprints” were widely covered by mainstream media and provided circumstantial support for the idea that Guccifer 2 was in fact a Russian operative (or a team of operatives), in spite of his rather clumsy attempts to cover his tracks.

The Guccifer 2 Narrative

In this report, we take the position that most of Guccifer 2’s metadata modifications were deliberate. Our position is at odds with mainstream media’s recital of events.

The MSM narrative, as best we understand it, is that Guccifer 2 initially slipped up — disclosing documents that were last saved using a user id written in Cyrillic; that user id made reference to a famous Russian spy chief.

Further, Guccifer 2’s first document, which he shared with two media outlets, had Russian error messages embedded in the PDFs that those media outlets published. These error messages became known as Guccifer 2’s “Russian fingerprints”, presumably left behind by accident. In Did Guccifer 2 Plant his Russian Fingerprints? we demonstrate that the process which Guccifer 2 likely used to plant those Russian error messages was complex and deliberate.

An important point to make here is that Guccifer 2 modified 36 documents, published in several batches, and each batch has metadata that can be linked to Russia (or in one batch, Romania). Guccifer 2 often made minimal changes to a document, apparently with no rhyme or reason; yet Russian (or Romanian) indications were the only tangible result that those changes had in common. Guccifer 2 explained away his document tweaks as simply a result of his desire to plant his hacker “watermark” (signature). The media accepted this explanation and viewed it as a clumsy (and obvious) effort to cover his initial (alleged) mistakes. We have a different opinion. We think that Guccifer 2’s main intent was to implant metadata that implicates Russia.

A point that is often lost in the flurry of details swirling around Guccifer 2.0 is that a metadata change will only “stick” if something in the document is modified and then that document is saved. This fact explains Guccifer 2’s tendency to make minimal changes to the documents that he tweaked. For the documents that we can compare to attachments in Wikileaks emails, we see that Guccifer 2 often just added some white space, modified a header/footer, and so on. In a typical scenario, these small changes were enough to convince the application (e.g., Microsoft Word) to record the “last saved by” user id (Guccifer 2’s “watermark”) and to record the current language setting in each modified document’s metadata. Although the media outlets focused on Guccifer 2’s quirky user ids, we think that the real goal was to plant more meaningful metadata.
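As an added illustration of the mechanism just described (not code from Forensicator’s report): the script builds a constructed minimal .docx in memory, then pulls out the fields the report relies on, the “last saved by” id and save time in docProps/core.xml and the per-run language tags in word/document.xml. The user name is the one quoted later in this report; the timestamp, creator name and language mix are made up.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W_VAL = "{%s}val" % NS["w"]

def build_sample_docx(creator, last_modified_by, modified, langs):
    """Constructed minimal .docx (a zip of XML parts); not one of the published files."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        f"<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>"
    )
    runs = "".join(
        f'<w:r><w:rPr><w:lang w:val="{l}"/></w:rPr><w:t>x</w:t></w:r>' for l in langs
    )
    doc = f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>{runs}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

def extract_breadcrumbs(docx_bytes):
    """Pull the 'last saved by' id, the save timestamp and per-run language tags."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        doc = ET.fromstring(z.read("word/document.xml"))
    def text(path):
        return (core.findtext(path, namespaces=NS) or "").strip()
    # Every run that carries an explicit language tag is counted, so a document
    # edited on a Russian-locale system shows up even when only a few runs changed.
    langs = Counter(e.get(W_VAL) for e in doc.iter(f'{{{NS["w"]}}}lang'))
    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "modified": text("dcterms:modified"),  # Word stores this in UTC ("Z")
        "languages": dict(langs),
        "watermark_differs": text("dc:creator") != text("cp:lastModifiedBy"),
    }

SAMPLE = build_sample_docx("original author", "Феликс Эдмундович",   # constructed sample
                           "2016-06-15T13:38:00Z", ["ru-RU", "ru-RU", "en-US"])
```

Running `extract_breadcrumbs(SAMPLE)` on a real file would take the bytes of the .docx instead; the same core.xml fields exist in .xlsx packages.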

The Motherboard article raises the question that we keep banging into as we analyze Guccifer 2’s long trail of breadcrumbs (emphasis added).

Could all these breadcrumbs have been left on purpose? Of course, but then the explanation would be that someone has done an awful lot of work to leave evidence pointing to Russia in a blog post where he or she was claiming to have nothing to do with Russia.

As we have shown in our previous reports (and this one), Guccifer 2 did indeed make a concerted effort to strew breadcrumbs that linked his activities to Russia. In fact, the clues listed in the Motherboard article will prove to be just the tip of the iceberg.

Yet, in just one day, on the basis of flimsy evidence (such as Guccifer 2’s use of a “Russian smiley” in his blog post), the media was quick to conclude that Guccifer 2 was a team of Russian spies.

“Given the evidence in the docs only, it’s a weak attribution to a group in Russia,” Pwn All The Things [Matt Tait] told Motherboard in an online chat. “Given the evidence combined with everything else, I think it’s a strong attribution to one of the Russian intelligence agencies.”

Guccifer 2’s Metadata Mosaic

The following table summarizes all the metadata indications that we have found (to date) in the 36 files that Guccifer tweaked. Times shown are in GMT. The email screenshots (.png files) reflect the time that they were uploaded to Guccifer 2’s blog.

Above, we see five (5) batches of documents that Guccifer 2 either modified (the Word documents and spreadsheets) or created (the email screen shots). The “RU” entries that are in light red and the timezone offsets of GMT+3 and GMT+4 in bright red can be clearly identified as indications of possible Russian origin.

The GMT+4 indication is anomalous – before October, 2014 Western Russia followed Daylight Saving Time (during the summer months) and would have used a GMT+4 time offset. However, Russia dropped DST after October, 2014. In Guccifer 2’s West Coast Fingerprint we suggest that the GMT+4 time offset might be the result of using a system running Windows XP, then setting the timezone as Moscow with (default) automatic DST adjustment. Windows XP was not updated (based on our tests) to reflect the fact that Russia dropped Daylight Saving Time in 2014. If the OS had been updated, then in the summer of 2016 it should have used a timezone offset of GMT+3. It is surprising that a Russian computer expert would miss this and choose to use an incorrect timezone setting.
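An added model (not from the report) of the timezone reasoning above: it compares the offset a system still applying the old “Moscow (GMT+3), adjust for DST” rule would stamp into a file against the permanent GMT+3 in force since Russia dropped DST, and reports which rule reproduces an observed offset. The last-Sunday transition rule and the 26 October 2014 cutover date are assumptions taken from the tz database, not values from the report.

```python
from datetime import date, datetime, timedelta

# Moscow moved to permanent UTC+3 on this date (tz database value; the report itself only
# says "after October, 2014"). The current-rule model is only valid for later dates.
RUSSIA_DST_DROPPED = datetime(2014, 10, 26)

def last_sunday(year, month):
    """Last Sunday of the month, the anchor day used by classic DST transition rules."""
    month_end = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return month_end - timedelta(days=(month_end.weekday() + 1) % 7)

def stale_moscow_offset(when):
    """What an OS still applying 'Moscow (GMT+3), adjust for DST' would use.
    Assumption: the old EU-style rule, last Sunday of March to last Sunday of October."""
    in_summer = last_sunday(when.year, 3) <= when.date() < last_sunday(when.year, 10)
    return 4 if in_summer else 3

def current_moscow_offset(when):
    """Offset under the rule in force since Russia dropped DST: GMT+3 all year."""
    if when < RUSSIA_DST_DROPPED:
        raise ValueError("model only covers dates after the October 2014 change")
    return 3

def explain_offset(when_iso, observed_hours):
    """Which timezone rules reproduce the UTC offset (in hours) seen in a document's
    metadata for a save made at the given local time (ISO 8601 string)."""
    when = datetime.fromisoformat(when_iso)
    rules = {"current-moscow": current_moscow_offset(when),
             "stale-dst-moscow": stale_moscow_offset(when)}
    return sorted(name for name, off in rules.items() if off == observed_hours)

if __name__ == "__main__":
    # Constructed sample: a summer-2016 save time, not a timestamp taken from the report.
    print(explain_offset("2016-06-15T12:00:00", 4))  # ['stale-dst-moscow']
```

A GMT+4 stamp in summer 2016 matches only the stale rule, while a GMT+3 stamp matches only the updated one; outside the old DST window both rules agree and the offset no longer discriminates between them.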

The batch of Word files dated June 30, 2016 all have Romanian (“RO”) language settings (in light orange). This has gone unnoticed in mainstream reporting. Recently, an anonymous blogger (Winston Smith) noticed this setting, but not in the broader context shown above. We discuss Smith’s findings in a following section.

The entries marked “EN” (in light blue) indicate English language settings. There are some entries for spreadsheets (.xlsx) that have English language indications, yet other spreadsheets have Russian indications. The batch of files dated July 6, 2016 are a special case; they were all written with LibreOffice. The version of LibreOffice indicates that it may have been installed recently and there may have been unnoticed installation issues, where the chosen language defaulted to US English. The combination of English language settings and a timezone offset of GMT+4 is surprising given the overall metadata picture.

Below is an overview graphic with some of the detail above left out.

At first, this looks like a mixed picture. However, if we view the light red, dark red, and light orange blocks as being indicative of Russian origin then there were Russian attributions in every batch of modified files that Guccifer 2 published. Mainstream media focused on the first batch (notably the “Russian fingerprints” in the Trump opposition report). Media did notice Guccifer 2’s use of additional “watermarks” (unusual user names), but this was generally explained as a cover used to obscure Guccifer 2’s original choice of the very Russian “Феликс Эдмундович” (Felix Edmundovich) reference.

We explain in a later section that there is a scenario where the GMT-7 timezone offsets can be viewed as indications of Russian origin. That scenario is based on the assumption that Guccifer 2 made a particular mistake when saving those files.

In subsequent sections, we will also discuss some of the anomalous results.

[Editor: In the rest of Forensicator’s lengthy report are details which describe the derivation of the newly discovered metadata. Below, we excerpt the disclaimer and closing thoughts.]

Disclaimer

This report describes numerous examples of metadata found in documents that Guccifer 2 modified, where the metadata values can be linked to Russia. We call these values “Russian breadcrumbs”. The presence of these breadcrumbs might seem at odds with the DOJ indictments of alleged Russian GRU hackers, because we are left wondering why Guccifer 2 would leave such an obvious trail to Russia. One explanation that has been given is that the Guccifer 2 team was in a hurry and careless. Another reason might be that the GRU agents wanted to make their presence known and were sending some sort of message. We take no position on those theories and rationales, but simply offer our interpretation of the facts at hand.

Also, to the degree that some theories that we develop might suggest that Guccifer 2 had team members or help inside the US, we emphasize that our theories should be considered hypothetical. We note that the DOJ indictments are not obligated to list all the facts in a case; there might be other information that hasn’t been disclosed publicly that would invalidate our theories or interpretations of the facts.